This is the 202nd article in the Spotlight on IT series. If you'd be interested in writing an article on the subject of backup, security, storage, virtualization, mobile, networking, wireless, DNS, or MSPs for the series PM Eric to get started.

A little over a year ago, I became the third IT admin in a company of 300+ across several Iowa locations. My first duties were to familiarize myself with common help desk issues, as well as get involved in the products and services that we sell to customers. Last December, I was part of a radical push in our company to replace BlackBerry and flip phones with iPhones. It was a huge change for our company, as it meant iPhones in the hands of our office employees and tradesmen who may have never touched a modern smartphone.

Our company was generous (especially in current conditions) to replace every company-provided cell phone with an iPhone 4 or 5 — even for those whose work phone was also their only cell phone and used for personal use. But with great power comes great responsibility, and we knew we had to exercise the same amount of control over iPhones we had over BlackBerry. That’s why we looked at mobile device management solutions.

Even though we’re not a technology-centric company, the past six months have been huge for us with technology. We’re increasingly going paperless, and looking to utilize mobile apps that our appliance vendors have to offer.

With this move, we were able to retire our aging and functionally limited BES and collected the 50–75 BlackBerrys we supported. The BlackBerry was a great work tool — especially if you didn't want your employees to goof around on them. But when you're in an industry where your vendors are selling apps only for Android and iOS that you would either use or sell to your customers, you can't leave yourself out in the cold.

We chose to adopt an iOS-only policy for our environment, mostly because of standardization and simplicity. We’re short staffed and supporting phones is a small portion of our duties, so extending our support to other platforms adds complications we can’t afford. Too often threads that ask, “What mobile platform should I adopt for my company?” turn into a flame war. The only person who can answer if something is “best” (hate that word) is the person that’ll be supporting it.

When I started doing my research into MDM solutions, of course my first stop was here. Anyone who has, is, or will be looking for MDM solutions should just bookmark it now. Every new forum thread that begins with, “I need an MDM solution” ends with, “See this thread.” There’s some amazing research in there, the community can share their experience, and vendors are always ready to answer questions.

We tried Meraki because, of course, it's free. Free is great, and Meraki is actually a good value for the cost. For small scale, or if you're just not looking to enforce that much control, it's definitely a good starting point. Even if you know you want to use a more complex product at a cost, free products like Meraki give you an idea of what you want, without burning your trial time with the competition. Before you engage a paid service, know what you're looking for, what you're looking to pay, and have plenty of questions.

After seeing positive reactions to MaaS360, we gave it a try. When we started experimenting with MaaS360, we didn't know where to begin. Luckily, their great sales and customer support teams really reach out to get you in the driver's seat. Setting up an MDM for the first time is a little tricky, but Fiberlink's step-by-step instructions with pictures are really foolproof. Getting our account set up, creating profiles, and using the Cloud Extender to reach our Active Directory took about a week in between all of our other duties, but it probably wouldn't take as long if you've got your workload under control. Just make sure you confirm every setting you want, especially with Exchange, because refreshing ActiveSync settings triggers the phones to ask for their passwords, which you don't want to do just because you're fixing something down the road.

Here’s where I got into trouble: we deployed 200+ iPhones in two days.

Back-to-back hour-long sessions introducing the phones to employees and walking them through the enrollment process was (almost) enough to get them comfortable with the devices. We bought an Apple TV and projected it so they could see my phone and follow along. Having a visual aid and sessions where you walk them through the process can be very beneficial. However, we didn't plan early enough. Our on-site Verizon reps helped out by signing up our employees with Apple IDs before their enrollment session. The problem was, signing up for an Apple ID is really a two-step process: creating it and completing it.

Completing it means adding security questions and a payment method, which we didn’t have time for in the enrollment session. We needed completed Apple IDs to get the MaaS360 client app on these phones before they left, but we didn’t have time for them to pull out credit cards or get gift cards, even though it’s a free app.

To save time and get the employees out in a timely manner, we just installed the MaaS360 app with our own Apple IDs (note: create a work-only account for yourself separate from your personal one to avoid accidents).

I thought to myself, "Self, the MaaS360 app is just a client that relays telemetry, so what are the odds they'll update it anytime soon?" The answer was: the next week. Actually, I accidentally installed Find My iPhone on a few with my Apple ID during that grace period and that was updated the very next day. This meant that when our employees saw the "red one" (the update badge on the App Store icon), they got prompted for my Apple ID to update the app, because my Apple ID owned that install. With employees already in the field, our solution to them was to just delete it and reinstall it, which meant they just deleted it and never reinstalled it.

Looking forward, we’re working on deploying free and paid apps to our employees for commercial and industrial use.

Let's face it: there's no real point in forcing apps that you like on your users if they don't know how to use them yet. If they know they want an app, they can just go get it. If you've got users like me, the moment you push anything to their device, and it requires any amount of user intervention that they don't understand, they'll freak out and you'll be hearing about the "inconvenience." Plan ahead before you trigger anything on employee devices and make sure they'll know what to do and why it's happening.

We registered for an Apple VPP account and found an app we'd like to buy for our employees. With VPP, you buy X licenses of the app at X times its price, and get a spreadsheet with redemption codes to either input manually, or plug into your MDM. I made an Active Directory group that replicates to MaaS360 and used that group for an app distribution.

We’re still piloting the use of this app, and I want to retain control over who can consume the limited number of licenses we purchased. Otherwise, I’d distribute it to everyone without telling them, tell one person to try it, it spreads, and everyone tries to install it just because someone else has it. My licenses get redeemed and no one tries it, and I don’t have any data that justifies buying 200 more licenses.
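The license-control problem above (hand each pilot member exactly one redemption code, know how many were actually redeemed, and catch codes that were redeemed by people outside the pilot) can be tracked with a short script. This is an added example, not code from the article or from Fiberlink/Apple; the CSV columns, the code strings and the pilot group are constructed stand-ins for the real VPP spreadsheet and the AD group, and the redemption status you would normally read back from the VPP portal is passed in by hand.

```python
"""Track Apple VPP redemption codes for a pilot group (added example)."""
import csv
import io

# Constructed sample, not a real VPP export: the column names are an assumption.
VPP_CODES_CSV = """\
code,status
VPP00001AAAA,unredeemed
VPP00002BBBB,unredeemed
VPP00003CCCC,unredeemed
VPP00004DDDD,unredeemed
VPP00005EEEE,unredeemed
"""

# Constructed stand-in for the AD group the MDM replicates (usernames).
PILOT_GROUP = ["jdoe", "asmith", "bjones"]


def load_codes(csv_text):
    """Parse the redemption-code spreadsheet into {code: status}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["code"].strip(): row["status"].strip() for row in reader}


class LicensePool:
    """Hands out one redemption code per pilot user and tracks what happened to it."""

    def __init__(self, codes):
        self.codes = dict(codes)   # code -> "unredeemed" | "redeemed"
        self.assigned = {}         # user -> code

    def assign(self, user):
        """Give `user` a code; re-running for the same user returns the same code."""
        if user in self.assigned:
            return self.assigned[user]
        taken = set(self.assigned.values())
        for code, status in self.codes.items():
            if status == "unredeemed" and code not in taken:
                self.assigned[user] = code
                return code
        raise RuntimeError(f"no unredeemed codes left for {user}; buy more before expanding the pilot")

    def distribute(self, group):
        """Assign codes to every member of the pilot group."""
        return {user: self.assign(user) for user in group}

    def reconcile(self, redeemed_codes):
        """Compare our assignments against the codes Apple now reports as redeemed.

        Redemption codes are bearer tokens: anyone who sees the spreadsheet can
        redeem one. A redeemed code we never handed out ("leaked") means the
        pilot boundary was not held.
        """
        redeemed = set(redeemed_codes)
        for code in redeemed:
            if code in self.codes:
                self.codes[code] = "redeemed"
        by_code = {c: u for u, c in self.assigned.items()}
        used = {by_code[c]: c for c in redeemed if c in by_code}
        pending = {u: c for u, c in self.assigned.items() if c not in redeemed}
        leaked = sorted(redeemed - set(by_code))
        free = sum(1 for c, s in self.codes.items() if s == "unredeemed" and c not in by_code)
        return {"redeemed": used, "pending": pending, "leaked": leaked, "free": free}


def demo():
    """Distribute to the pilot group, then reconcile against a constructed portal report."""
    pool = LicensePool(load_codes(VPP_CODES_CSV))
    pool.distribute(PILOT_GROUP)
    # Constructed: one pilot user redeemed; one code we never handed out was
    # redeemed by somebody else.
    return pool.reconcile(["VPP00001AAAA", "VPP00005EEEE"])


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The "pending" list is the data the pilot is supposed to produce: codes handed out but never redeemed tell you nobody tried the app, while a "leaked" code tells you the spreadsheet travelled further than the pilot group, which is worth knowing before buying 200 more licenses.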

Lessons learned

Plan waaay in advance. Deploying a large number of devices? Make sure everyone gets the accounts they need weeks in advance. Believe it or not, not everyone has an Apple ID or Google account. In the time it takes to have devices delivered to your door, your employees can prepare or you can make them on their behalf.

Figure out how you’re going to deploy (IT department enrolls each phone vs. employees enrolling themselves), and simulate it in small scale to calculate the time necessary.

Register for a volume app purchasing account and buy a cheap app for your IT department so you know how the process works.

Above all else, know your users and what level of assistance they’ll need with any technology you give them. It’s very relieving when we hire someone and I ask them, “Ever use a computer before? An iPhone?” and the answer is yes, but there are plenty out there in the workforce that you might give an iPhone who will say, “Nope, nope, nope! I want my flip phone! You can’t make me use modern technology that enables me to improve my work!” To them, I say, “Sorry, your employer wants to give you something nice and there’s nothing you can do about it.”

---

See what other IT pros have to say about smartphones and mobile device management solutions in Spiceworks' Product Reviews. And, while you're at it, why not download the Spiceworks 7.0 Beta? Test drive 7.0 today and be among the first to get your hands on Spiceworks' free, integrated MDM capabilities — giving you the ability to inventory/monitor phones and tablets on your network and view device details, OS, installed apps, and more.

I just wish I had the chance to read something like this a couple of months ago, before our rollout!! I had the same issues, and to make it better, we combined BYOD with the retraction of our BB's. To top it off, I don't even have the iPhone 5 to play/work with!!! What Fun!!

We don't push any apps, but we've created a big list of apps they might be interested in. They are welcome to get them, and we can help them with them, but we leave it up to them to experiment/ask for help.

Thank you for the kind words regarding the MDM research, ranhalt! I'm a firm believer in the power of the Spiceworks Community to contribute helpful solutions and research for the benefit of other Spiceheads.

That being said, I encourage anyone researching MDM to share what you've uncovered with the rest of us, and if you've found a gem of an Article or a How To, spice it up!

Be careful when using a corporate Apple ID and setting up replacement or new devices with it. The default now is to message everyone with the Apple ID and you must manually remove the extra devices from the configuration. Otherwise you may find your text messages broadcast to everyone- that includes to and from. A word to the wise.

GAWDAMN! All the more reason I'm sticking to laptops and BlackBerrys. Seriously, where I come from, vendors haven't moved to iOS/Android apps. So the phones are mainly email reading only; but damn, this is a good read and a great horror story to give to management :)

Great article ranhalt. I'm in the beginning of an iPhone rollout replacing 20 BlackBerrys and 5 flip phones, with only the BBs swapping out for iPhones.

My concern is the Apple ID.

Should there be only one company account for the 20 iPhones?

How would I allow users to add apps?

Or should I let everyone use a personal Apple ID using their credit card?

These are some of the concerns going into the conversion.

The company is still not sure what access to grant to users and what to block but are open to suggestions.

What are your experiences so far with employees & Apple ID's?

What I do, and I don't know if this is a good idea or not, is create a new Apple ID for each user, using their company e-mail address as their Apple ID, setting their date of birth to 01/01/80 and creating my own security question. I then put these details in the box when I give them the phone. They are then free to add their own credit card details, change their security settings etc etc, although I suspect most won't bother and will use the defaults I've given them.

I use Meraki. I've created a profile to enforce company policies, but my main issue is that you can't prevent users from deleting the Meraki profiles from their phones. This is a limitation set by Apple.

I suspect iPhones are easy to configure and manage if you have 200 phones - as you have the resources to implement a sophisticated MDM system. And they're easy to configure if you have 1 phone. But if you have around 20, as we do, it's not very satisfactory. For example, the requirement to enter a date of birth when you create an Apple ID doesn't really work in a corporate setting. It all feels like a bit of a fudge.

We just did a similar project but smaller scale, less than 50 users going from BlackBerry to Android, and we had this all planned out in advance, from the users getting themselves a Google login to ordering Samsung flip covers and Media Devil screen guards. We had a few minor issues with users forgetting their PINs on day one and one person sitting on their phone on day 2. We staged it so we were not doing all of them at once.

I feel for you having to roll out 200+ iPhones; it might have been better to do it in batches, but that would depend on a lot of factors and trying to run a BES and new MDM. Not a big Apple fan, but a hell of a job to get done in a short period.

I'm dealing with this issue right now, trying to figure out how to handle the Apple IDs.

Here, we have each user create their own Apple ID. The company doesn't want to have to deal with people downloading non-free games/apps. They can use their own credit card if they wish to purchase apps, or they can choose not to put in a payment method at all. They will still be able to download free apps.

Granted, this method may make centralized management a bit cumbersome, but most of the reasons to use a centralized management system are negated by them having their own Apple ID's. Plus, I can still remote wipe with Exchange.

I guess it really depends on the company and how they want to handle everything.

I recently did 15 iPhones and iPads using Apple VPP and Meraki for my MDM (free). It is complicated. Originally, Apple made you purchase a $299/year enterprise developer license to be able to do any kind of MDM. Thankfully, they got rid of that requirement and now it's free.

I recommend doing that and giving them their own IDs. Setting up an ID without a payment option IS tricky. It's not obvious how to do it. You basically have to attempt to install an app and THEN you create the ID from there.

The other option is assigning 1 ID for multiple devices. I originally did it this way, but I had to constantly enter in the password for my staff as the ID was tied to a credit card and I didn't want that given out freely. Another issue is you can only do 10 devices per ID. A small perk is you can buy an app 1 time and essentially install it on all of them. Not a big deal since nearly all apps are dirt cheap.

I recommend going Apple VPP. It's still confusing, but it is better in the long run.